
We were a bit surprised by the sudden reaction today. We have been using reCAPTCHA as one tool (among many) to fight abuse for years now. For example, here's a thread from 4 years ago mentioning it [1]. It is triggered most often for signup, but it can also appear for password reset, username lookup, sending mail, payments, login, and any other API routes which can be abused.

That said, we can also understand the reaction. Back in 2014, there were no viable alternatives. Today, there is one alternative, and we started the transition to hCaptcha earlier this year, and will complete it in the coming weeks.

For security reasons, we can't say too much, but some truly massive residential IP botnets have appeared in recent years and can make millions of attempts per day. On really bad days, Captcha can appear for nearly 1% of legitimate users (some who are unwittingly part of the botnet), while blocking nearly all of the malicious attempts.

[1] https://www.reddit.com/r/ProtonMail/comments/5z70cd/when_sig...



> For security reasons, we can't say too much

That's reasonable. Thanks for responding.


> For security reasons, we can't say too much, but some truly massive residential IP botnets have appeared in recent years and can make millions of attempts per day

Ah yes. All those insecure IoT and unpatched/unpatchable routers that are discoverable on Shodan and ultimately end up joining giant botnets. They are a plague not just to ProtonMail.

TBH, I’ve never seen a Captcha. But then I’d tend to use your service via mutt/bridge or the iOS app. And I have MFA enabled.


> For security reasons, we can't say too much

Obscuring reasons due to security. Sounds like a security through obscurity type of thing.


I don’t think you quite understand what security through obscurity means. It’s not an invitation to help malicious actors pen-test your system by publishing information about it.



